MySQL Forums :: Security :: Connecting with SSL

Re: Connecting with SSL
Posted by: Lars Hanke
Date: November 13, 2007 04:49PM

After two days of fiddling around I solved most of my needs - in particular I solved the situation described above.

Concerning the original question, the user name and the CN are not linked in any way. If you require a certain user certificate this is forced by REQUIRE SUBJECT. Therefore, if your PKI is correct, your sample case should work.

I'd guess that since X509 is SSL related, you could run into trouble if you have a full match policy defined but the CN does not match the client's name. Try to use your certificates to set up a mutual SSL connection, e.g. using the openssl test client.

Getting the following access rule running was sometimes tedious, but after all straightforward:

GRANT ALL ON test.* TO 'test'@'%' REQUIRE SUBJECT '/C=DE/.../CN=test' AND CIPHER 'EDH-RSA-DES-CBC3-SHA';

Note that the user certificate for test reads a DN=.../CN=test/emailAddress=test@my.system. The emailAddress tag must not appear in the REQUIREd SUBJECT.

Actually, enforcing the encryption was the most troublesome. I finally hunted it down in syslog:

Nov 13 21:44:47 test mysqld[1236]: 071113 21:44:47 [Note] X509 ciphers mismatch: should be 'EDH-RSA-DES-CBC3-SHA' but is 'DHE-RSA-AES256-SHA'

so I changed my required cipher to the stronger one offered by the client:

GRANT ALL ON test.* TO 'test'@'%' REQUIRE SUBJECT '/C=DE/.../CN=test' AND CIPHER 'DHE-RSA-AES256-SHA';

and I can connect:

mysql --ssl-ca cacert.pem --ssl-cert test.cert.pem --ssl-key test.pem -u carpora -h mysql.mgr -p -- test

I'm still struggling with some remaining issues:

1) I do not want to provide a password. I present a certificate and that shall be it.

2) AES256 is definitely good, but I want to also allow clients which use AES128, 3DES or anything similar. My idea was something like 'MEDIUM:HIGH'. But although this combination includes the offer from the client, it is rejected.

3) I want to restrict the user to a certain netmask, e.g. 172.16.0.0/21 instead of a hostname domain.

All hints for solving these issues are appreciated.
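As an added example (not part of the post above), a small Python parser that pulls the "X509 ciphers mismatch" notes mysqld writes to syslog and tallies which required/offered cipher pairs are failing; that tells an administrator whether a REQUIRE CIPHER value is too narrow for the clients in use before it is changed. The first sample line is the one quoted in the post; the other lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Matches the [Note] line mysqld logs when the cipher a client negotiated
# differs from the one demanded by REQUIRE CIPHER (format as quoted above).
MISMATCH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) mysqld\[(?P<pid>\d+)\]: "
    r".*X509 ciphers mismatch: should be '(?P<required>[^']+)' but is '(?P<offered>[^']+)'"
)


@dataclass
class CipherMismatch:
    timestamp: str
    host: str
    pid: int
    required: str   # cipher named in the account's REQUIRE CIPHER clause
    offered: str    # cipher the client actually negotiated


def parse_mismatch(line: str) -> Optional[CipherMismatch]:
    """Return the parsed mismatch note, or None for any other syslog line."""
    m = MISMATCH_RE.match(line)
    if not m:
        return None
    return CipherMismatch(m["ts"], m["host"], int(m["pid"]), m["required"], m["offered"])


def find_mismatches(lines: Iterable[str]) -> List[CipherMismatch]:
    return [mm for mm in (parse_mismatch(line) for line in lines) if mm is not None]


def summarize(mismatches: Iterable[CipherMismatch]) -> Dict[Tuple[str, str], int]:
    """Count (required, offered) pairs: which REQUIRE CIPHER values block clients, and what those clients offer."""
    counts: Dict[Tuple[str, str], int] = {}
    for mm in mismatches:
        key = (mm.required, mm.offered)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: line 1 is the note quoted in the post, the rest are made up.
SAMPLE_LOG = [
    "Nov 13 21:44:47 test mysqld[1236]: 071113 21:44:47 [Note] X509 ciphers mismatch: should be 'EDH-RSA-DES-CBC3-SHA' but is 'DHE-RSA-AES256-SHA'",
    "Nov 13 21:45:02 test mysqld[1236]: 071113 21:45:02 [Note] /usr/sbin/mysqld: ready for connections.",
    "Nov 13 21:46:10 test mysqld[1236]: 071113 21:46:10 [Note] X509 ciphers mismatch: should be 'EDH-RSA-DES-CBC3-SHA' but is 'DHE-RSA-AES256-SHA'",
    "Nov 13 21:47:33 test mysqld[1236]: 071113 21:47:33 [Note] X509 ciphers mismatch: should be 'EDH-RSA-DES-CBC3-SHA' but is 'AES128-SHA'",
]

if __name__ == "__main__":
    for (required, offered), n in summarize(find_mismatches(SAMPLE_LOG)).items():
        print(f"{n}x required {required}, client offered {offered}")
```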
